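#!/bin/sh
# auto_ida_viruse.sh,v 0.2 2004/05/22 18:19:18 Kreny
#
# Collect source addresses of NULL.ida scanners (from the Apache access logs),
# virus senders (from the qmail-scan quarantine) and spam senders (from the
# sa-learn spam directory), merge them with the REJECT entries already saved in
# /etc/sysconfig/iptables, and rebuild the firewall chain so every listed
# address is rejected.
#
# Must run as root: it flushes and rewrites the live iptables rules.
# Needs gawk (gensub) and the RH-Lokkit chain layout used below.

LOG_FILE1='/usr/local/apache2/logs/www.domain1.com-access_log'
LOG_FILE2='/usr/local/apache2/logs/www.domain2.com-access_log'
CHAIN_NAME='RH-Lokkit-0-50-INPUT'
SPAM_MAIL_DIR='/home/user/sa-learn/spam'
# NOTE(review): FILE_PATH is under public_html, so the generated IP lists may
# be web-visible — confirm that is intended.
FILE_PATH='/home/user/public_html/log'
IDE_FILE='ida_ip.txt'
VIRUSE_FILE='viruse_ip.txt'
REJECT_FILE='reject_ip.txt'
SPAM_FILE='smap_ip.txt'   # sic: name kept, the *_ip.txt glob below still matches it

# Only lines that look like an IPv4 address (optionally with a /prefix) are
# ever handed to iptables. Everything in the *_ip.txt files comes out of log
# data an outside party controls (HELO strings, request lines), so it must
# never reach a shell command line or an iptables argument unvalidated.
IP_REGEX='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

if [ "$(id -u)" -ne 0 ]; then
  printf 'This script must be run as root (it rewrites the iptables rules).\n' >&2
  exit 1
fi

#######################################
# Print the source address of every REJECT rule saved in
# /etc/sysconfig/iptables, one per line, de-duplicated.
# Scans for the token following "-s" instead of a fixed field number so the
# result does not depend on the exact iptables-save layout.
# Outputs: addresses on stdout
#######################################
list_saved_reject_ips() {
  awk '/REJECT/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }' \
    /etc/sysconfig/iptables | sort -u
}

### List the NULL.ida Scanner's IPs
printf "Listing the NULL.ida Scanner's IPs. Please wait...\n"
awk '/NULL.IDA/ {print $1}' "$LOG_FILE1" "$LOG_FILE2" | sort -u > "$FILE_PATH/$IDE_FILE"

### List the viruse SMTP IPs
printf "Listing the viruse SMTP IPs. Please wait...\n"
awk '/HELO/ {print gensub(/\((.*)\)/,"\\1", 1, $6)}' /var/spool/qmailscan/quarantine/new/* \
  | sort -u > "$FILE_PATH/$VIRUSE_FILE"

### List the Spam-mail SMTP IPs
printf "Listing the Spam-mail SMTP IPs. Please wait...\n"
# Bracketed form "([addr])" first, then the plain "(addr)" form.
awk '/HELO/&&$6~/\[/ {print gensub(/\(\[(.*)\]\)/,"\\1", 1, $6)}' "$SPAM_MAIL_DIR"/* \
  | sort -u > "$FILE_PATH/$SPAM_FILE"
awk '/HELO/&&$6!~/\[/ {print gensub(/\((.*)\)/,"\\1", 1, $6)}' "$SPAM_MAIL_DIR"/* \
  | sort -u >> "$FILE_PATH/$SPAM_FILE"

### If you copy the file from windows, you have to do a dos2unix
### (CR characters are also stripped below before the list is applied)
#/usr/bin/dos2unix -k -n $FILE_PATH/$SPAM_FILE $FILE_PATH/spam.tmp
#mv -f $FILE_PATH/spam.tmp $FILE_PATH/$SPAM_FILE
#/bin/chmod 0644 $FILE_PATH/$SPAM_FILE

### List the REJECT IPs from iptables
printf "Listing the REJECT IPs. Please wait...\n"
list_saved_reject_ips > "$FILE_PATH/$REJECT_FILE"

### Add the rules to iptables
# NOTE: you HAVE to add the /sbin/ before iptables.
printf "Updating the iptables rules. \nPlease wait...\n"
/sbin/iptables --flush
# Make sure the custom chain exists before rules are appended to it
# (-N fails harmlessly when the chain is already there).
/sbin/iptables -N "$CHAIN_NAME" 2>/dev/null || true

### Add the default or custom rules ###
/sbin/iptables -A INPUT -j "$CHAIN_NAME"
/sbin/iptables -A FORWARD -j "$CHAIN_NAME"
/sbin/iptables -A "$CHAIN_NAME" -i lo -j ACCEPT
# NOTE(review): iptables stops at the first matching rule, and this ACCEPT on
# eth0 precedes every REJECT appended further down, so the per-IP REJECT rules
# only take effect for traffic arriving on other interfaces — confirm this
# placement is intended.
/sbin/iptables -A "$CHAIN_NAME" -i eth0 -j ACCEPT
/sbin/iptables -A "$CHAIN_NAME" -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT
/sbin/iptables -A "$CHAIN_NAME" -p udp -m udp -j REJECT
/sbin/iptables -A "$CHAIN_NAME" -s "220.98.121.7" -j ACCEPT

### Add the new ip list ###
# Each address is validated against IP_REGEX and passed to iptables as a single
# quoted argument. The previous awk system() call spliced log-derived text
# straight into a shell command line, which allowed command injection from a
# crafted HELO string or request. Entries that are not addresses are skipped.
sort -u "$FILE_PATH"/*_ip.txt \
  | tr -d '\r' \
  | grep -E "$IP_REGEX" \
  | while IFS= read -r ip; do
      /sbin/iptables -A "$CHAIN_NAME" -s "$ip" -j REJECT \
        || printf 'warning: could not add REJECT rule for %s\n' "$ip" >&2
    done

/sbin/service iptables save
list_saved_reject_ips > "$FILE_PATH/$REJECT_FILE"
printf "Done! \t Completed on %s\n" "$(date)"

###### Change Log ######
#
# FROM:
# less /var/spool/qmailscan/quarantine/new/*| grep 'HELO' | awk '{print $6}' | cut -d \( -f2 | cut -d \) -f1 | sort -u > $VIRUSE_FILE
#
# elapsed time
# ----- real 0m8.131s
# ----- user 0m4.530s
# ----- sys 0m3.580s
#
# TO:
# awk '/HELO/ {print gensub(/\((.*)\)/,"\\1", 1, $6)}' /var/spool/qmailscan/quarantine/new/* | sort -u > $VIRUSE_FILE
#
# elapsed time
# ----- real 0m3.305s
# ----- user 0m3.280s
# ----- sys 0m0.020s
#
# FROM:
# less /etc/sysconfig/iptables | grep "REJECT" | awk '{print $5}' | sort -u > $REJECT_FILE
# TO:
# awk '/REJECT/{print $5}' /etc/sysconfig/iptables |sort -u > $REJECT_FILE
#
# FROM:
# cat $FILE_PATH\/*_ip.txt | sort -u | awk '{system("iptables -A '$CHAIN_NAME' -s "$0" -j REJECT ")}'
# TO:
# sort -u $FILE_PATH\/*_ip.txt | awk '{system("iptables -A '$CHAIN_NAME' -s "$0" -j REJECT ")}'
# TO (0.2 review): validate each entry against IP_REGEX and call iptables
# directly from a read loop instead of awk system() (no shell interpolation).
#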